Strengthening the Cloud: ISO 27017 and ISO 27018
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information and explore security options in order to protect their information systems. There are multiple security standards for cloud services providers and users to utilize in order to secure the cloud-based environment and minimize potential risk of a security incident.
Because of the way in which cloud services operate across different locations, an international standard is necessary in order to satisfy the security requirements of clients. ISO, or the International Standardization Organization, has created a standard specialized for cloud companies. That is where ISO/IEC 27017 and 27018, cloud-based compliance frameworks are able to assist cloud organizations.
ISO 270017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is relevant to organizations who store information in the cloud, but also for organizations who provide cloud-based services to other organizations who may have sensitive information.
This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organizations and their end-users.
ISO 27018 is, again, designed for cloud computing organizations but specifically is designed to protect personally identifiable information stored and/or processed in the cloud. In addition, this standard is primarily focused on the standards relevant to cloud providers, not customers.
This standard creates an additional level of customer confidence, specifically when working with organizations who handle sensitive information. This standard provides for the practical application of minimum protection standards that should be implemented to maximize client and end-user assurance.
Why Get Certified?
For cloud providers, ensuring the safety of consumer information is the number one priority. In light of recent breaches that have compromised user data, receiving certification through an international standard provides an organization with the globally accepted security controls. It also demonstrates to the cloud provider’s customers the importance they place on protecting consumer data. This provides a unique marketing advantage to firms that are able to tout their ability to confidently secure customer information.
While some organizations seek certification to conform to their unique regulatory needs or the needs of their clients, other organizations should consider ISO 27017 or ISO 27018 in order to minimize both the risk inherent to cloud-services organizations, and the potential cost of a breach. Adhering to the rigid guidelines of ISO 27017 and 27018 allows your organization to operate with confidence and build a reputation of trust with your clients.